About a month ago, we kicked off our Patch Reward Program. The goal is very simple: to recognize and reward proactive security improvements to third-party open-source projects that are vital to the health of the entire Internet.

We started with a fairly conservative scope, but said we would expand the program soon. Today, we are adding the following to the list of projects that are eligible for rewards:

All the open-source components of Android: Android Open Source Project

Widely used web servers: Apache httpd, lighttpd, nginx

Popular mail delivery services: Sendmail, Postfix, Exim, Dovecot

Virtual private networking: OpenVPN

Network time: University of Delaware NTPD

Additional core libraries: Mozilla NSS, libxml2

Toolchain security improvements for GCC, binutils, and llvm

For more information about eligibility, reward amounts, and the submission process, please visit this page. Happy patching!

The vulnerability program to improve security on third party software is a great idea. The open source community wants to improve software in the security area. The financial incentive that your team would provide has great potential to advance the program. The patched that are submitted could be a major benefit to the programs listed. Is Google model going forward to open source?